It’s been a long time since I’ve written a blog article about RBAC roles, especially in relation to Exchange. Because working in Exchange areas was my first job, I had the opportunity to have a sneak peek at this topic when a colleague suggested that we consider providing a scaled-down permission level for the EXO operation of searching for and removing suspicious emails.
It is always advisable to grant the least privilege needed for daily operational tasks, such as handling a suspicious spam email that an end user reports to the security team or helpdesk. In practice, Global Admin is sometimes granted for this operation, because by default there is no Azure AD built-in role that maps directly to the Search & Purge role present in the compliance center.
Although there is no direct way to assign this permission via Azure AD roles, we can connect to Office 365 Security & Compliance and add a group to the Search & Purge role. This post looks at how to provide such access.
We will use PIM to grant just-in-time access to Defender for Office 365 related tasks.
In this demo we use a user called Selvam who has no access beyond regular user privileges. Selvam will act as a SOC admin responsible for searching for and deleting suspicious emails when an incident is reported.
The first task is to customize and add a permission entry for Selvam.
Navigate to the Security Reader role under Roles and administrators.
Then go to Role settings, where we need to adjust the activation maximum duration (hours) setting.
In the next pane we can choose the role settings, for example setting the maximum activation duration to 24 hours.
It has been almost a year since Microsoft announced the new Azure Sentinel release that lets us ingest the MS Teams activities recorded in the audit logs into Azure Sentinel. Enabling this feature benefits organizations where a separate SOC team monitors and analyzes the security posture as an ongoing operational procedure.
Microsoft's native Cloud App Security still helps in building an alerting mechanism for MS Teams activities, but with Log Analytics and Azure Sentinel we can do much more than is possible from Cloud App Security. We can fine-tune the alerting and create workbooks and dashboards for Microsoft Teams activities that are useful for Teams monitoring.
To start with this feature, we need to enable the option to ingest Teams data into the Azure Sentinel workspace. This article can be followed to get started with connecting Office 365 to Microsoft's cloud-native SIEM, Azure Sentinel.
In the previous post we looked at how to group multiple Azure Log Analytics queries and display them on one screen. There are a few real challenges in displaying the queries directly from the workbook. Firstly, they do not auto-refresh with live data until we reload the workbook. There is no option to fit the dashboard and customize it to our requirements. Finally, there is no option to set the refresh rate, set the local time zone, or share it with the required people for read-only viewing.
Creating dashboards is much easier, and there are multiple ways to do it. In this post we will look at creating one from the workbook.
In order to do this, navigate to the Azure Log Analytics workspace, click on Workbooks, and select the workbook that needs to be added to the dashboard.
Currently, as per this UserVoice item, there is no option to delegate the MFA reset action to the help desk team via an admin role. As of now only the Global Admin has the required privileges to perform this action from the Azure portal. In this article we looked at how to reset MFA by creating an automation account and integrating it with Microsoft Flow. Though this is a good option, there is another way: the action can be delegated via ManageEngine ADManager Plus.
Most organizations have ADManager Plus and its features integrated with their on-premises tenant. It can also be used to execute Office 365 and Azure AD operations in a hybrid environment. In this article we will look at the steps to integrate ADManager Plus with Azure AD to delegate this action to the help desk team.
Below are the prerequisites:
The ADManager Plus server must be present in the hybrid domain (not necessarily a hybrid domain; it works well for cloud-only accounts as well).
Connectivity to the Azure IPs and URLs is required so that the Azure module can connect using Connect-MsolService.
The Azure AD modules must be installed on the ADManager Plus server.
AD delegation must already be assigned to the help desk team with an AD management role.
A Global Admin account is required; it is stored as encrypted credentials with a key on the ADManager Plus server. This Global Admin account is only used by the ManageEngine ADManager Plus server in the backend and is not exposed to the helpdesk team.
In the previous post we looked at how to configure Azure Monitor alerts for critical events that occur on Microsoft Windows devices, which can be used to monitor Teams Room systems. With Azure Log Analytics we can leverage a few more components that help us visualize the status of the systems, which are monitored through selected event logs and performance counters.
Creating workbooks and getting them to visualize anything depends purely on the data ingested into the corresponding Log Analytics workspace. So, at the first stage, it is very important that we send all the required logs and counters needed for visualizing the metrics.
Before creating the workbooks we need to devise a strategy for building the skeleton of the dashboard. This is very important since there are multiple options available, and we need to understand which important data needs to be projected on the dashboard.
In the previous post we had an overview of how to create an Azure Log Analytics workspace and configure it to collect data from Windows systems. Once the information is ingested into the workspace, we can create alerts and notify the responsible team based on various signal logics, which is useful for monitoring these devices.
These alerts are scoped to each Log Analytics workspace. It is a good idea to isolate the services, group them in a single workspace, and create separate alerts for critical events happening on these monitored devices.
In order to create the alerts, navigate to Alerts in the same workspace and click on New alert rule.
Navigate to the signal logic and choose a signal. There are multiple signals available; we need to check whether any others of interest that suit our requirements can be added here.
Now we have the required critical signals on which the alert needs to be triggered. Usually the signal type will be the collected events and performance counters. In our scenario we can go with some default events from the list as well as a custom log search.
In huge enterprise-scale deployments there will be various teams that handle the services with multiple administrator accounts. These administrators must be furnished with accounts that are appropriate to their boundaries. Since Microsoft Intune manages devices, apps, and Office 365 administration, it is highly likely that it will be used across various departments, applications, devices, and locations. With Intune now offering many features and capabilities, most organizations are moving to a managed tenant with Microsoft Intune.
For instance, multiple app protection policies, device compliance policies, app configuration policies, etc. can be created for multiple services: one for meeting room management, another for BYOD devices, and another for corporate Windows devices. In these situations we need to create customized role-based access control for each user.
Following last month's Ignite sessions on Microsoft Teams, there are security enhancements that can be enabled to add extra protection in any organization.
Inviting external guest users to Teams channels has been a welcome option for all of us, as it improves communication and boosts productivity. However, there are a few security guidelines that need to be followed to ensure that our data stays secure even when it is shared outside the boundary. For instance, the compromise of a guest account that is a member of a finance team would become a major security incident in any organization.
This article outlines the steps that can be carried out to enhance the security of Microsoft Teams guest accounts by enforcing multi-factor authentication.
Below are the steps to enforce MFA on guest accounts:
First, create a dynamic group and target the guest accounts.
Log in to the Azure AD tenant with admin privileges, go to Groups, create a new group, set the group type to Security, and set the membership type to Dynamic.
By following this article, we can start/stop VMs during off-business hours. This greatly benefits customers, especially in cost optimization and in removing the overhead of performing this action manually. But we need to make sure that the VMs we select are present in the same subscription as the automation account and schedule, selecting only the required VMs and excluding the others.
Log in to the Azure portal.
Go to All services, type Automation Account, and create an Automation Account.
There might be a scenario where the environment has Azure AD users synced from the local Active Directory, and the mailboxes are created directly in Exchange Online with no hybrid configured from the start, as is typical for new businesses.
Developers customizing the login experience for different business units in their application usually consume the local AD extension attributes, which is fine for fully on-premises environments.
If we have Exchange installed in the environment, the Active Directory schema will be extended to include the user extensionAttributes in the Exchange mailbox properties.
Another option is to use the Exchange Server install media to extend only the local Active Directory schema. This option is usually not recommended. Doing so would add the Exchange attributes to the local Active Directory; these attributes could then be set, and Azure AD Sync configured to sync them to Office 365. This option requires much testing, and there is always risk associated with AD schema changes.
Even in a hybrid setup, these values get populated in Exchange Online via the Exchange hybrid configuration for all users.
In the third scenario, we do not have an Exchange hybrid, and the developer is using Azure AD via the Graph API and expecting these values in Azure AD for the customization. In this case we have a better option: extend these values from Azure AD Connect by running the wizard again and selecting only the required AD extension attributes.
I'm a Certified Microsoft Infrastructure/Cloud Architect with 14 years of hands-on, internationally proven experience in Planning, Design, Execution, Integration, Operations and IT Management, specialized in Messaging Platforms: Microsoft Teams with Telephony, Skype for Business Voice, Microsoft Exchange, Intune Deployment, Microsoft Azure Infrastructure, and Cloud Security Implementations.
Over time I have developed complete IT Implementation skills on Microsoft Infrastructure/Cloud projects within the Multinational, Government, Construction, Leisure & Entertainment, Production, Automobile & Financial Industries.
I can be contacted through email at email@example.com or through mobile at +31 62 050 6978.